Showing content from https://greenbytes.de/tech/webdav/draft-ietf-httpbis-cookie-alone-latest-from-previous.diff.html below:

Diff: draft-ietf-httpbis-cookie-alone-01.txt - draft-ietf-httpbis-cookie-alone-latest.txt

Left column: draft-ietf-httpbis-cookie-alone-01.txt. Right column: draft-ietf-httpbis-cookie-alone-latest.txt. Text common to both versions is shown once; where the versions differ, the old text is marked [-01] and the new text [latest].

   HTTP Working Group                                           M. West
   Internet-Draft                                           Google, Inc
   Updates: 6265 (if approved)
      [-01]    September 5, 2016
      [latest] September 6, 2018
   Intended status: Standards Track
   Expires:
      [-01]    March 9, 2017
      [latest] March 10, 2026

   Deprecate modification of 'secure' cookies from non-secure origins
      [-01]    draft-ietf-httpbis-cookie-alone-01
      [latest] draft-ietf-httpbis-cookie-alone-latest

Abstract

   This document updates RFC6265 by removing the ability for a non-secure
   origin to set cookies with a 'secure' flag, and to overwrite cookies
   whose 'secure' flag is set. This deprecation improves the isolation
   between HTTP and HTTPS origins, and reduces the risk of malicious
   interference.

Note to Readers

   Discussion of this draft takes place on the HTTP working group mailing
   list (ietf-http-wg@w3.org), which is archived at
   https://lists.w3.org/Archives/Public/ietf-http-wg/ ([latest] appends
   the URI reference "[1]"). Working Group information can be found at
   http://httpwg.github.io/ ([latest] appends "[2]"); source code and
   issues list for this draft can be found at
   https://github.com/httpwg/http-extensions/labels/cookie-alone
   ([latest] appends "[3]").

Status of this Memo
   ([latest] heading: "Status of This Memo")

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task
   Force (IETF). Note that other groups may also distribute working
   documents as Internet-Drafts. The list of current Internet-Drafts is at
      [-01]    http://datatracker.ietf.org/drafts/current/.
      [latest] https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference material
   or to cite them other than as "work in progress."

   This Internet-Draft will expire on
      [-01]    March 9, 2017.
      [latest] March 10, 2026.

Copyright Notice

   Copyright (c)
      [-01]    2016
      [latest] 2018
   IETF Trust and the persons identified as the document authors. All
   rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
      [-01]    (http://trustee.ietf.org/license-info)
      [latest] (https://trustee.ietf.org/license-info)
   in effect on the date of publication of this document. Please review
   these documents carefully, as they describe your rights and
   restrictions with respect to this document. Code Components extracted
   from this document must include Simplified BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents
   (page numbers: -01 / latest; "5.3. URIs" exists only in latest)

   1. Introduction .................................... 3 / 2
   2. Terminology and notation ........................ 3 / 3
   3. Recommendations ................................. 3 / 3
   4. Security Considerations ......................... 4 / 4
   5. References ...................................... 5 / 4
      5.1. Normative References ....................... 5 / 4
      5.2. Informative References ..................... 5 / 5
      5.3. URIs ....................................... - / 5
   Appendix A. Acknowledgements ....................... 6 / 6
   Appendix B. Changes ................................ 6 / 6
      B.1. Since -00 .................................. 6 / 6
   Author's Address ................................... 6 / 6

1. Introduction

   Section 8.5 and Section 8.6 of [RFC6265] spell out some of the
   drawbacks of cookies' implementation: due to historical accident,
   non-secure origins can set cookies which will be delivered to secure
   origins in a manner indistinguishable from cookies set by that origin
   itself. This enables a number of attacks, which have been recently
   spelled out in some detail in [COOKIE-INTEGRITY].

   [skipping to change at page 5, line 14 (-01) / page 5, line 6 (latest)]

   The proposal in [COOKIE-PREFIXES] could mitigate this risk, as could
   "preloading" HSTS for "example.com" into the user agent
   [HSTS-PRELOADING].

5. References

5.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119,
              March 1997,
              [-01]    <http://www.rfc-editor.org/info/rfc2119>.
              [latest] <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986,
              DOI 10.17487/RFC3986, January 2005,
              [-01]    <http://www.rfc-editor.org/info/rfc3986>.
              [latest] <https://www.rfc-editor.org/info/rfc3986>.

   [RFC6265]  Barth, A., "HTTP State Management Mechanism", RFC 6265,
              DOI 10.17487/RFC6265, April 2011,
              [-01]    <http://www.rfc-editor.org/info/rfc6265>.
              [latest] <https://www.rfc-editor.org/info/rfc6265>.

5.2. Informative References

   [COOKIE-INTEGRITY]
              Zheng, X., Jiang, J., Liang, J., Duan, H., Chen, S., Wan, T.,
              and N. Weaver, "Cookies Lack Integrity: Real-World
              Implications", August 2015,
              <https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/zheng>.
              (only the line wrapping differs between -01 and latest)

   [COOKIE-PREFIXES]
              West, M., "Cookie Prefixes", 2016,
              <https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes>.
              (only the line wrapping differs between -01 and latest)

   [HSTS-PRELOADING]
              "HSTS Preload Submission", n.d.,
              <https://hstspreload.appspot.com/>.

   [RFC6797]  Hodges, J., Jackson, C., and A. Barth, "HTTP Strict
              Transport Security (HSTS)", RFC 6797, DOI 10.17487/RFC6797,
              November 2012,
              [-01]    <http://www.rfc-editor.org/info/rfc6797>.
              [latest] <https://www.rfc-editor.org/info/rfc6797>.

5.3. URIs
   ([latest] only)

   [1] https://lists.w3.org/Archives/Public/ietf-http-wg/
   [2] http://httpwg.github.io/
   [3] https://github.com/httpwg/http-extensions/labels/cookie-alone

Appendix A. Acknowledgements

   Richard Barnes encouraged a formalization of the deprecation proposal.
   [COOKIE-INTEGRITY] was a useful exploration of the issues [RFC6265]
   described.

Appendix B. Changes

B.1. Since -00

End of changes. 17 change blocks. 36 lines changed or deleted, 46 lines changed or added.
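As an added illustration (not code from the draft or from any browser), the following Python sketch shows what the deprecation in the Abstract and Introduction means for a user agent's cookie store: a non-secure origin may neither set a cookie carrying the Secure attribute nor overwrite an existing cookie whose Secure flag is set. The Set-Cookie parser is a constructed simplification, and the name/domain/path matching used to decide what counts as "overwriting" is an assumption based on RFC 6265's storage model, not text from this diff.

```python
from urllib.parse import urlsplit

SECURE_SCHEMES = {"https", "wss"}  # assumption: schemes treated as "secure"

def parse_set_cookie(header, request_uri):
    # Simplified parser (constructed): name=value plus Domain, Path, Secure.
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "domain": urlsplit(request_uri).hostname.lower(), "path": "/"}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie

def domain_matches(string, domain):
    # RFC 6265 section 5.1.3 domain-matching (host names only)
    return string == domain or string.endswith("." + domain)

def path_matches(request_path, cookie_path):
    # RFC 6265 section 5.1.4 path-matching
    if request_path == cookie_path:
        return True
    return (request_path.startswith(cookie_path) and
            (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

def store_cookie(store, header, request_uri):
    # Apply the draft's rule to one Set-Cookie header; True if stored.
    cookie = parse_set_cookie(header, request_uri)
    if urlsplit(request_uri).scheme not in SECURE_SCHEMES:
        # Rule 1: a non-secure origin may not set a cookie with the Secure flag.
        if cookie["secure"]:
            return False
        # Rule 2: nor overwrite/shadow an existing Secure cookie of the same
        # name whose domain and path match (matching assumed from RFC 6265).
        for old in store:
            if (old["name"] == cookie["name"] and old["secure"]
                    and (domain_matches(cookie["domain"], old["domain"])
                         or domain_matches(old["domain"], cookie["domain"]))
                    and path_matches(cookie["path"], old["path"])):
                return False
    key = (cookie["name"], cookie["domain"], cookie["path"])
    store[:] = [c for c in store if (c["name"], c["domain"], c["path"]) != key]
    store.append(cookie)
    return True
```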
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
